Sym helps developers solve painful access management problems with standard infrastructure tools.

Is your team experiencing:

Sym can help! This quickstart will help you launch a new access flow in under an hour. Your engineers will be able to safely and conveniently gain access to sensitive resources, all with the guardrails you need in place.

If you want to check out a demo, go here!

Workflow: AWS IAM Access

We're going to walk through setting up an access control workflow using Slack, AWS IAM and Sym. By the end of this tutorial, you'll have the ability to wrap any resource in AWS IAM with a fully-configurable request-and-approval flow, using a declaratively provisioned Slack bot.

The complete code for this tutorial can be found at @symopsio/sym-aws-iam-quickstart.

Users will interact with this Sym Flow via Slack. Slack connects to the Sym platform, which executes a Flow that uses the Integrations we are wiring together in this tutorial.

End-User Workflow

Making Requests

This is what a request will look like.

Request Modal

Sym will send a request for approval to the appropriate users or channel based on your impl.py.

Approval Request

Finally, upon approval, Sym gives you access to the AWS IAM Group and updates Slack.

Approved Access

Using Escalated Privileges

Escalated users have the additional privileges granted to them by membership in the target AWS IAM Group. One common access pattern is to allow users to assume additional AWS IAM Roles when they are members of the group. Users can configure this access in their ~/.aws/credentials file using the source_profile option:

[sym-target]
role_arn = arn:aws:iam::0123456789012:role/sym-target
source_profile = my-user
region = us-east-1
role_session_name = Session_My_User

[my-user]
aws_access_key_id = ...
aws_secret_access_key = ...
region = us-east-1
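Added example (not part of the Sym quickstart or the symflow tooling): a small Python check that resolves the source_profile chain above the way the AWS SDKs do, so you can confirm before requesting access that sym-target really assumes its role from my-user's static keys and that the chain has no missing or circular profile. The account id and key values in the sample are constructed placeholders.

```python
import configparser
from typing import Dict, List

# Constructed sample mirroring the tutorial's ~/.aws/credentials; values are placeholders.
SAMPLE_CREDENTIALS = """
[sym-target]
role_arn = arn:aws:iam::123456789012:role/sym-target
source_profile = my-user
region = us-east-1
role_session_name = Session_My_User

[my-user]
aws_access_key_id = AKIAEXAMPLEKEY
aws_secret_access_key = EXAMPLESECRET
region = us-east-1
"""


def load_profiles(text: str) -> Dict[str, Dict[str, str]]:
    """Parse credentials-file text into {profile_name: {key: value}}."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    return {name: dict(parser[name]) for name in parser.sections()}


def resolve_chain(profiles: Dict[str, Dict[str, str]], profile: str) -> List[dict]:
    """Follow source_profile links from `profile` down to a profile with static keys.

    The SDK walks the same path: the innermost profile's keys call AssumeRole for
    each role_arn on the way back out. Raises ValueError for a missing profile,
    a role_arn without a source_profile, or a cycle.
    """
    chain: List[dict] = []
    seen = set()
    current = profile
    while True:
        if current in seen:
            raise ValueError(f"cycle in source_profile chain at {current!r}")
        seen.add(current)
        if current not in profiles:
            raise ValueError(f"profile {current!r} not found")
        p = profiles[current]
        if "role_arn" in p:
            if "source_profile" not in p:
                raise ValueError(f"{current!r} sets role_arn without source_profile")
            chain.append({"profile": current, "role_arn": p["role_arn"],
                          "session_name": p.get("role_session_name", "")})
            current = p["source_profile"]
        elif "aws_access_key_id" in p and "aws_secret_access_key" in p:
            chain.append({"profile": current, "static_keys": True})
            return chain
        else:
            raise ValueError(f"{current!r} has neither role_arn nor static keys")
```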

To complete this tutorial, you should install Terraform, and make sure you have a working install of Python 3.

What's Next

The prod environment includes everything you need to get an AWS IAM workflow up and running. Just configure a few variables in terraform.tfvars and you're on your way!

Here's all that you'll need to do:

You'll need to work with the Sym team to get your organization set up with access to the Sym platform. Once you're onboarded, continue from here.

Install the symflow CLI

The symflow CLI is what you use to interact with Sym's control plane.

$ brew install symopsio/tap/symflow
==> Tapping symopsio/tap
Cloning into '/opt/homebrew/Library/Taps/symopsio/homebrew-tap'...
remote: Enumerating objects: 1148, done.
remote: Counting objects: 100% (285/285), done.
remote: Compressing objects: 100% (222/222), done.
remote: Total 1148 (delta 134), reused 156 (delta 59), pack-reused 863
Receiving objects: 100% (1148/1148), 324.27 KiB | 6.36 MiB/s, done.
Resolving deltas: 100% (530/530), done.
Tapped 14 formulae (43 files, 582.7KB).
==> Downloading https://github.com/symopsio/sym-flow-cli-releases/releases/download/v1.3.7/sym-flow-cli-darwin-x64.tar.gz
######################################################################## 100.0%
==> Installing symflow from symopsio/tap
🍺  /opt/homebrew/Cellar/symflow/1.3.7: 10,351 files, 198MB, built in 33 second

Login

We'll have to login before we can do anything else. Sym also supports SSO, if your organization has set it up.

$ symflow login
Sym Org: healthy-health
Username: sym-implementer@healthy-health.co
Password: ************
MFA Token: ******

Success! Welcome, Sym Implementer. 🤓

Set your Org slug

You simply have to take the slug given to you by the Sym team, and set it in environments/prod/terraform.tfvars.

# environments/prod/terraform.tfvars

sym_org_slug = "healthy-health"

Now that you've got symflow installed, you need to install Sym's Slack app into your workspace.

Grab your Workspace ID

The easiest place to find this is in the URL you see when you run Slack in your web browser. It will start with a T, and look something like TABC123.

This also goes in environments/prod/terraform.tfvars.

# environments/prod/terraform.tfvars

slack_workspace_id = "TABC123"

Provision your Slack app

symflow has a convenient way to provision an instance of Sym's Slack app. This command will generate an install link that you can either use directly, or forward on to your Workspace Administrator.

$ symflow services create --service-type slack --external-id TABC123
Successfully set up service type slack with external ID TABC123!
Generated an installation link for the Sym Slack app:

https://static.symops.com/slack/install?token=xxx

Please send this URL to an administrator who has permission to install the app. Or, if that's you, we can open it now.

Would you like to open the Slack installation URL in a browser window? [Y/n]:

Once Slack is set up, try launching the Sym app with /sym in Slack.

You should see a welcome modal like this one, since we haven't set up a Flow yet:

Slack Welcome Modal

This Flow is set up to route access requests to the #sym-requests channel. You can change this channel in—wait for it—terraform.tfvars.

Sym will also send any errors that happen during a Run (due to external failures or config issues) to a configurable error channel. You'll never guess where you can configure this.

# environments/prod/terraform.tfvars

flow_vars = {
  request_channel = "#sym-requests"
}

You can also change the channel that errors are routed to, which defaults to #sym-errors.

# environments/prod/terraform.tfvars

error_channel = "#sym-errors"

Now that Slack is set up, let's provision your flow! The IAM Integration isn't ready quite yet, but we can at least make sure all the pipes are connected.

$ export AWS_PROFILE=my-profile
$ cd app
$ terraform init
$ terraform apply
...
Plan: 18 to add, 0 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

Apply complete! Resources: 18 added, 0 changed, 0 destroyed.

Try out a request!

You should be able to make a request now with /sym req, though you'll get an error when you try to approve access, since we haven't configured our AWS IAM Groups yet.

Check your error_channel and you should see something like this:

IAMError

Example Target

If you want to get started with an example target, set example_target_enabled to true in terraform.tfvars. This will use the aws-iam-target module to create a Group that grants IAMReadOnly access to users, and wire it into your flow.

Configuring Targets

You can use the aws-iam-target module to create more targets for your access flow, or simply configure existing IAM Groups that you want to use with Sym by setting the iam_targets variable in terraform.tfvars.

# environments/prod/terraform.tfvars

iam_targets = [
  {
    label      = "AWS Ops Admin",
    group_name = "CHANGEME"
  }
]

Sym will try to find AWS IAM users in your AWS Account using the email address that is associated with the user in Slack. If your AWS IAM users don't use the same email addresses, you can use the symflow users tool to map from one system to the other.

Now that you've configured your AWS IAM Targets, it's time to reapply your Terraform configs and validate that your integration works end-to-end.

Run a terraform apply and then request access to your IAM target. Once complete, your request should be approved with no errors!

$ terraform apply
...
Plan: 0 to add, 3 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

Apply complete! Resources: 0 added, 3 changed, 0 destroyed.

What's next?

Here are some next steps to consider: